If you’re reading this, it’s probably because you’re as concerned as we are about ransomware. We know that ransomware has been wreaking havoc on healthcare, cities, governments and other larger organizations, and truly we should be concerned.
That’s why we’re back here again with our latest edition of Ransomware: It’s Time To Get Serious (and we’re here to help!). I’m Anne Genge, CEO of Alexio, and certified privacy & security professional, specializing in small healthcare practices. Welcome, and I’m really glad you joined us today.
hy this is so important
Usually when we’re doing these types of webinars – similar to the pieces I’ve put together with the Canadian Dental Association on Oasis, which we do a ransomware update about every 6 months or so – we talk a lot about what types of measures you should be putting in place.
Even after providing the information and giving a checklist, dental offices in particular are STILL becoming the tragic victims of ransomware, viruses and other types of cyber-criminal behaviour.
That’s why I thought what we’d do today is take just a few minutes and have a high-level look at the six main mistakes that are occurring in dental offices.
The 6 most common ransomware mistakes:
1. There is this idea out there that the IT guy has it covered.
I find this in many practices before they become a client. There’s this parking of trust that things are mysteriously taken care of by this magical IT person, without having any proof at all that they have the necessary layers of security or the types of training that staff need to keep data safe and secure.
What we find is that many IT contractors only fill a role of fixing things when they’re broken; it’s a reactive role. meaning practices are left spending money cleaning up disasters instead of preventing them.
Ransomware is highly preventable and as a small healthcare practice there are tools to ensure you never have to pay a ransom or suffer major data loss and downtime. Until now there haven’t been a lot of PRO-active cyber-security solutions or failover server tools, and even less presence of cyber-security certified professionals having oversight in these practices. Alexio fills that gap.
2. Practice has not had a cyber-security risk assessment
For cyber-security risk assessments – when we facilitate them, and primarily on smaller healthcare practices – we see a very low percentage of practices passing at all. In fact, only 9% pass the basics of the cyber-security risk assessment, so we always have a pretty big list of gaps and vulnerabilities for their systems.
Sometimes it’s an oversight by the IT provider that’s taking care of the practice; sometimes IT has suggested upgrading certain systems but the healthcare provider hasn’t understood the return on investment and extra protection they would get from that.
We often see massive gaps in backup procedures. One of the biggest reasons we have so much data lost – especially in dentistry – is that the backups might be in existence, but they’ve never been tested to see if that data is recoverable.
This is why a cyber-security risk assessment is one of the biggest oversights: IT providers don’t facilitate them, practices don’t know where to get them, or perhaps they don’t see the value. In fact, most dental practices can get a risk assessment done for $400-$500, making it a very worthwhile expenditure to find out what your gaps are so they can be addressed.
3. No cyber-security awareness training
The next mistake we see is that roughly 90% of all breaches can be attributed to human error. In fact, you may have heard the reports of this causing huge breaches for three major, globally-recognized entities in the last year. Human error can be your users, your IT and 3rd parties, or even you as a practice owner for failing to act on recommendations for cyber-security solutions to protect your data.
Social engineering and phishing, which are tactics used by cyber criminals, have really ramped up, and hackers are truly doing a phenomenal job of tricking your staff. We need to make sure that these people on your team have access to training that makes sense to them. While that’s easy enough to do, but we still see many practices NOT doing this.
An important addendum to that is that many practices still have no policies about computer use and what’s acceptable with regards to accessing the internet and downloading things – and this is what I would consider one of the bigger mistakes as well.
4. Systems and applications not getting security updates
The operating systems in your computers need regular updating, and sometimes it can even be daily. It’s crucial to run these security updates in order to patch the holes in the code.
Unfortunately, many people are not bothering to ensure that this happens. They might think that they’re paying someone to do it, and yet they’re still not being brought up to date properly.
We have done risk assessments where we can see that no updates have been completed for up to 3 years. These are big mistakes that are leaving businesses vulnerable to attacks like viruses or ransomware, and it can be the cause of other events that can be quite crippling to your practice. Security automation is a new solution to ensure this happens and reports on progress daily.
5. Relying on cheaper antivirus instead of managed intrusion prevention & detection
Most antivirus programs – especially if they aren’t kept updated – are virtually useless. You need what’s called “intrusion prevention and detection” security.
This needs to be monitored, and you need to have an array of technical safeguards in place. You need things like basic password protocol, including difficult passwords (and you MUST make sure that you’re not using the same passwords throughout your practice).
Also, unique users, 3rd parties, IT and software providers should be tracked. You should have safeguards that block people from accessing sites and applications they shouldn’t be on; these can put your practice’s systems at risk.
6. Inadequate, untested backup, and no disaster planning
This is a mistake that is truly unforgiveable in this day and age. There is no reason that any business – including a small healthcare practice – should not be able to recover from a data disaster.
However, simply having a backup drive plugged into the computer is not going to cut it. When we do a disaster plan – for, let’s say, a dental office – we have a minimum of three different data sets that live in three different places and in different ways, following the 3-2-1 rule.
The best plan is to use a technology called virtualization.
Virtualization means that you can keep working virtually, no matter what happens, because you have an exact copy of YOUR system running on ANOTHER system. You can begin using it in minutes with almost no down-time, in case something bad happens to the regular network.
It also means that you know for certain each day that your backup is recoverable, and that your disaster system works. It also means that you rarely have any data loss whatsoever, which is what’s crucial to your practice success and to your patients.
Why relying on ‘paying the ransom’ is so dangerous:
We sometimes hear people say, “Well, I’ll just pay the ransomware and that’s fine.” However, I’ll tell you that I’ve recently been contacted by dental practices that have been held ransom for anywhere from $22k-165k, and that’s still a ton of money; most practices will notice if they need to go out-of-pocket for that amount.
However, the other important note about paying ransom is that – YES – you might get some of your data back, but there is often as much as 15% of data lost following a ransomware attack.
So you see, having that as a solution – that ‘you’ll just pay it when it happens’ – is not a reasonable plan.
Do a disaster plan, even if it’s just a ‘one-pager’
We recommend you engage with a cyber-security professional to put this plan in place.
Using a professional 3rd party to facilitate the assessment will ensure you catch the blind spots not seen by those who set up and manage the network. There are aways blind spots, and catching them is the whole point. It doesnt mean you have bad IT, but it’s very difficult to ‘vet’ your own work, especially when you don’t have access to the same tools or expertise used by a specialized cyber-security company.
Here’s how to get your practice on track
One of the first things that we can do for you is a cyber-security risk assessment where we can find out:
- Are there holes in your fire wall? Have the network and systems been set up properly to safeguard you from cyber-crime and other cyber-threats? What does your backup look like?
- What amount of time might it take for you to recover, based on the backup that you’re using at this time? What is the likelihood that you’ll be likely to recover?
Along with many other risk measurements, we will put together all discovered vulnerabilities in a comprehensive report for you.
We will provide you with the plan to fix those gaps, plus provide a consultation with a Certified Cyber-Security Risk Manager to help you understand the results and where to start.
Size doesn’t matter
We’re here for you to really make sure that you have the same type of protections that hospitals or any other larger organization would have, but at a budget that makes sense for you.
The types of tools that we have – specifically for ransomware – include:
- Ransomware vulnerability assessments
- Cyber-security awareness training for staff, managers, and IT providers
- Network & system risk assessments
- Alexio Defender – a complete computer security suite
- 2nd Server – Failover server/backup solutions/disaster recovery
- Advanced ransomware protections and prevention built into our system’s security
It’s time to get serious, but you’re not alone
Please follow our social channels! Every day we post helpful tips, strategies, and intel to help you and your staff bulletproof your data against nasty cyber-threats.